MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48f3ef54ff2ed0b44d5e4836c56a3a8f3214d7214278172ef84166f6d42cc067. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Emotet (aka Heodo)


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments

SHA256 hash: 48f3ef54ff2ed0b44d5e4836c56a3a8f3214d7214278172ef84166f6d42cc067
SHA3-384 hash: bca9d31cd34c93d91be7c611083a33566fd9623c605a82405f222a301466ee8e0fbe23c9cf8990607150f6a0953988fc
SHA1 hash: 6310b51fca4003fb36252367f058c2e990ba5734
MD5 hash: 07f30f1fa5420f050ea5929af0f95265
humanhash: quebec-lemon-stairway-lamp
File name:qd_34768.xlsm
Download: download sample
Signature Heodo
File size:47'738 bytes
First seen:2022-03-31 20:49:19 UTC
Last seen:Never
File type:Excel file xlsm
MIME type:application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep 768:QmBlntZhEI2YmxNskmoKjBvK3HqK88F/G6YzATUfJnXYS6oRM:hBlntTEvDLmXi3JvG6YzATOJnXYSXRM
TLSH T1A623CF5FE5AA6D57C2A6DF3C7F448CB8A70D268E958235D90894AF0E3F046631E4F02D
Reporter @James_inthe_box
Tags:Emotet Heodo xlsm

Intelligence


File Origin
# of uploads :
1
# of downloads :
4'486
Origin country :
DE DE
Mail intelligence
No data
Vendor Threat Intelligence
Verdict:
Malicious
File type:
application/vnd.ms-excel.sheet.macroEnabled.12
Has a screenshot:
False
Contains macros:
False
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
–°reating synchronization primitives
DNS request
Creating a file
Creating a process with a hidden window
Moving a recently created file
Launching a process
Sending a custom TCP request
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching a process by exploiting the app vulnerability
Result
Verdict:
Malicious
File Type:
OOXML Excel File with Excel4Macro
Payload URLs
URL
File name
http://eles-tech.com/css/KzMysMqFMs/
sharedStrings.xml
Document image
Document image
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe greyware keylogger shell32.dll stripped
Label:
Malicious
Suspicious Score:
  9.9/10
Score Malicious:
99%
Score Benign:
1%
Result
Verdict:
MALICIOUS
Details
Macro Execution Coercion
Detected a document that appears to social engineer the user into activating embedded logic.
Autostarting Excel Macro Sheet
Excel contains Macrosheet logic that will trigger automatically upon document open.
Result
Threat name:
Hidden Macro 4.0 Emotet
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Behaviour
Behavior Graph:
n/a
Threat name:
Document-Excel.Trojan.Emotet
Status:
Malicious
First seen:
2022-03-31 20:49:20 UTC
File Type:
Document
Extracted files:
28
AV detection:
17 of 42 (40.48%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:emotet botnet:epoch4 banker macro suricata trojan xlm
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Loads dropped DLL
Downloads MZ/PE file
Emotet
Process spawned unexpected child process
suricata: ET MALWARE W32/Emotet CnC Beacon 3
Malware Config
C2 Extraction:
68.183.94.239:80
104.131.11.205:443
138.197.109.175:8080
187.84.80.182:443
79.143.187.147:443
216.158.226.206:443
167.99.115.35:8080
212.24.98.99:8080
1.234.21.73:7080
206.189.28.199:8080
158.69.222.101:443
164.68.99.3:8080
188.44.20.25:443
185.157.82.211:8080
134.122.66.193:8080
196.218.30.83:443
72.15.201.15:8080
5.9.116.246:8080
176.104.106.96:8080
153.126.146.25:7080
46.55.222.11:443
91.207.28.33:8080
192.99.251.50:443
203.114.109.124:443
51.91.7.5:8080
103.70.28.102:8080
209.250.246.206:443
82.165.152.127:8080
101.50.0.91:8080
151.106.112.196:8080
119.193.124.41:7080
94.23.45.86:4143
51.254.140.238:7080
173.212.193.249:8080
58.227.42.236:80
212.237.17.99:8080
1.234.2.232:8080
45.118.115.99:8080
110.232.117.186:8080
172.104.251.154:8080
159.65.88.10:8080
185.8.212.130:7080
129.232.188.93:443
103.43.46.182:443
103.75.201.2:443
131.100.24.231:80
201.94.166.162:443
45.176.232.124:443
146.59.226.45:443
103.132.242.26:8080
209.126.98.206:8080
197.242.150.244:8080
51.91.76.89:8080
160.16.142.56:8080
176.56.128.118:443
167.172.253.162:8080
189.126.111.200:7080
79.172.212.216:8080
107.182.225.142:8080
50.30.40.196:8080
183.111.227.137:8080
Dropper Extraction:
http://eles-tech.com/css/KzMysMqFMs/

YARA Signatures


MalareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious proccess dumps they may create. Please note that only results from TLP:WHITE rules are being displayeyd.

Rule name:Microsoft_XLSX_with_Macrosheet

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments